Advisories : /bin/sh creates insecure tmp files

main menu

- feedback
- advertising
- privacy
- FightAIDS
- newsletter
- news

discussions

- read forum
- new topic
- search

meetings

- meetings list
- recent additions
- add your info

top 100 sites

- visit top sites
- sign up now
- members

webmasters

- add your url
- add domain
- search box
- link to us

projects

- our projects
- free email

m4d network

- security software
- secureroot
- m4d.com

Home : Advisories : /bin/sh creates insecure tmp files

Title:	/bin/sh creates insecure tmp files
Released by:	Paul Szabo
Date:	23rd November 2000
Printable version:	Click here

Similarly to the recently discussed tcsh vulnerability, the Bourne shell

/bin/sh also creates temporary files in an insecure way, and can be

exploited to create arbitrary files or to overwrite existing ones. While

this vulnerability can be exploited for a denial-of-service attack, it is

not clear how to use it to gain additional privileges.



I have confirmed this vulnerability in two (recent-version) commercial

UNIXes.



Demonstration:



#!/bin/sh -x

ls -l /tmp/nologin

ln -s /tmp/nologin /tmp/sh$$0

cat <http://www.maths.usyd.edu.au:8000/u/psz/

School of Mathematics and Statistics  University of Sydney   2006  Australia